Make apps forcefully debuggable: work-in-progress

Author: ammaraskar

README.md

@@ -36,12 +36,28 @@ ANDROID_SDK_ROOT=/path/to/sdk ./gradlew assemble
 The `deployer` folder in this project contains a convenience application to push the CoverageAgent
 to an Android device using `adb`.
 
-In order to instrument apps that don't have the `android:debuggable` attribute set, you must ensure
-you have root access on the device and `ro.debuggable` is set.
-
 ```bash
 gradle run --args="your.android.package.name"
 ```
 
 It will locate the app's data directory and push the coverage agent into the
 `DATA_DIR/code_cache/startup_agents` directory.
+
+## Using with non-debuggable apps
+
+In order to instrument apps that don't have the `android:debuggable` attribute set, you must ensure
+you have root access on the device and `ro.debuggable` is set. The deployer can toggle the
+debuggable bit in the system process. Firstly, ensure that
+
+```bash
+setprop persist.debug.dalvik.vm.jdwp.enabled 1
+```
+
+is set and restart the device after setting this property.
+
+Next, invoke the deployer with the `--force-debuggable` to have it deploy the coverage agent and
+flip the debug bit for you.
+
+```bash
+gradle run --args="your.android.package.name --force-debuggable"
+```

deployer/build.gradle

@@ -8,6 +8,8 @@ repositories {
 }
 
 dependencies {
+    implementation 'org.jdiscript:jdiscript:0.9.0'
+
     testImplementation 'org.junit.jupiter:junit-jupiter:5.9.1'
 }
 

deployer/src/main/java/com/ammaraskar/coverageagent/Deployer.kt

@@ -4,11 +4,11 @@ import java.io.File
 import java.util.*
 import java.util.concurrent.TimeUnit
 
-class Deployer {
+class Deployer(private val adbDeviceName: String?) {
 
     private val soName = "libcoverage_instrumenting_agent.so"
 
-    fun deploy(packageName: String, adbDeviceName: String?) {
+    fun deploy(packageName: String) {
         println("Instrumenting app $packageName with coverage agent.")
         // Get the architecture of the device.
         val architecture = getDeviceArchitecture(adbDeviceName)
@@ -18,11 +18,11 @@ class Deployer {
         val library = File("runtime_cpp/build/intermediates/merged_native_libs/debug/out/lib/${architecture}/${soName}")
         println("[i] Using library: ${library.absolutePath}")
 
-        runAdbCommand(adbDeviceName, "push", library.absolutePath, "/data/local/tmp/")
+        runAdbCommand("push", library.absolutePath, "/data/local/tmp/")
         println("[+] Pushed library to /data/local/tmp/${soName}")
 
         println("[i] Trying to use run-as to copy to startup_agents")
-        val copyDestinationWithRunAs = tryToCopyLibraryWithRunAs(packageName, adbDeviceName)
+        val copyDestinationWithRunAs = tryToCopyLibraryWithRunAs(packageName)
         if (copyDestinationWithRunAs.isPresent) {
             println("[+] Library copied to ${copyDestinationWithRunAs.get()}")
             return
@@ -31,7 +31,7 @@ class Deployer {
         println("[x] run-as failed, using su permissions instead.")
 
         // Use dumpsys package to figure out the data directory and user id of the application.
-        val dumpSysOutput = runAdbCommand(adbDeviceName, "shell", "dumpsys", "package", packageName)
+        val dumpSysOutput = runAdbCommand("shell", "dumpsys", "package", packageName)
 
         var dataDir: String? = null
         var userId: String? = null
@@ -46,33 +46,33 @@ class Deployer {
         }
         println("[i] Grabbed app's dataDir=$dataDir and userId=$userId")
 
-        runAdbCommand(adbDeviceName,
+        runAdbCommand(
                 "shell", "su", userId, "\"mkdir -p $dataDir/code_cache/startup_agents/\"")
-        runAdbCommand(adbDeviceName,
+        runAdbCommand(
                 "shell", "su", userId, "\"cp /data/local/tmp/${soName} $dataDir/code_cache/startup_agents/\"")
         println("[+] Library copied to $dataDir/code_cache/startup_agents/")
     }
 
     private fun getDeviceArchitecture(adbDeviceName: String?): String {
-        return runAdbCommand(adbDeviceName, "shell", "getprop", "ro.product.cpu.abi").trim()
+        return runAdbCommand("shell", "getprop", "ro.product.cpu.abi").trim()
     }
 
-    private fun tryToCopyLibraryWithRunAs(packageName: String, adbDeviceName: String?): Optional<String> {
+    private fun tryToCopyLibraryWithRunAs(packageName: String): Optional<String> {
         return try {
-            runAdbCommand(adbDeviceName, "shell", "run-as", packageName, "mkdir -p code_cache/startup_agents/")
-            runAdbCommand(adbDeviceName, "shell", "run-as", packageName, "cp /data/local/tmp/${soName} code_cache/startup_agents/")
+            runAdbCommand("shell", "run-as", packageName, "mkdir -p code_cache/startup_agents/")
+            runAdbCommand("shell", "run-as", packageName, "cp /data/local/tmp/${soName} code_cache/startup_agents/")
 
-            Optional.of(runAdbCommand(adbDeviceName, "shell", "run-as", packageName, "pwd"))
+            Optional.of(runAdbCommand("shell", "run-as", packageName, "pwd"))
         } catch (e: RuntimeException) {
             Optional.empty()
         }
     }
 
-    private fun runAdbCommand(adbDeviceName: String?, vararg command: String): String {
+    fun runAdbCommand(vararg command: String): String {
         val adbCommand = mutableListOf("adb")
-        if (adbDeviceName != null) {
+        if (this.adbDeviceName != null) {
             adbCommand.add("-s")
-            adbCommand.add(adbDeviceName)
+            adbCommand.add(this.adbDeviceName)
         }
         adbCommand.addAll(command)
         return runCommandAndGetOutput(adbCommand)
@@ -100,9 +100,16 @@ class Deployer {
 
 fun main(args: Array<String>) {
     if (args.isEmpty()) {
-        println("Usage: Deployer <android-package-name> [adb-device-name]")
+        println("Usage: Deployer <android-package-name> [--device=adb-device-name] [--force-debuggable]")
         return
     }
 
-    Deployer().deploy(packageName = args[0], adbDeviceName = args.getOrNull(1))
+    val deviceName = args.filter { it.startsWith("--device=") }.map { it.replace("--device=", "") }.firstOrNull()
+
+    val deployer = Deployer(deviceName)
+    if ("--force-debuggable" in args) {
+        ForceAppDebuggable(deployer).makeDebuggable(packageName = args[0])
+    }
+
+    deployer.deploy(packageName = args[0])
 }

deployer/src/main/java/com/ammaraskar/coverageagent/ForceAppDebuggable.kt

@@ -0,0 +1,103 @@
+package com.ammaraskar.coverageagent
+
+import com.sun.jdi.*
+import org.jdiscript.JDIScript
+import org.jdiscript.util.VMSocketAttacher
+import java.lang.IllegalArgumentException
+
+/**
+ * Local port to forward the jdwp connection to.
+ */
+const val HOST_PORT = 8690;
+
+const val PACKAGE_SETTINGS_CLASS = "com.android.server.pm.PackageSetting";
+
+/**
+ * Forces an app to be debuggable by connecting to Android with a jvm debugger and altering the
+ * PackageManager's memory.
+ */
+class ForceAppDebuggable(private var deployer: Deployer) {
+
+    fun makeDebuggable(packageName: String) {
+        // Kill any existing adb servers, Android Studio's adb server hijacks all jdwp connections
+        // and makes them not work for any other clients.
+        println("[i] Restarting adb daemon")
+        deployer.runAdbCommand("kill-server")
+        deployer.runAdbCommand("start-server")
+        deployer.runAdbCommand("wait-for-device")
+
+        println("[i] Retrieving pid for system_server")
+
+        val pid = deployer.runAdbCommand("shell", "pidof", "system_server").trim()
+        println("[+] Got system_server pid: $pid")
+
+        println("[i] Forwarding jdwp port for system_server")
+        deployer.runAdbCommand("forward", "tcp:$HOST_PORT", "jdwp:$pid")
+
+        println("[i] Connecting to jdwp socket with jdiscript...")
+        changeDebugFlagWithDebugger(packageName)
+    }
+
+    private fun changeDebugFlagWithDebugger(packageName: String) {
+        val vm = VMSocketAttacher("localhost", HOST_PORT, 30).attach()
+        println("[+] Debugger attached!")
+        val j = JDIScript(vm)
+
+        val packageSettingsClass = j.vm().classesByName(PACKAGE_SETTINGS_CLASS).firstOrNull()
+                ?: throw IllegalStateException("$PACKAGE_SETTINGS_CLASS not found in system server java process");
+
+        var nameField: Field? = null;
+        var flagsField: Field? = null;
+
+        for (field in packageSettingsClass.allFields()) {
+            if (field.name().equals("name", ignoreCase = true) || field.name().equals("mName", ignoreCase = true)) {
+                nameField = field;
+            }
+            if (field.name().equals("pkgFlags", ignoreCase = true)) {
+                flagsField = field;
+            }
+        }
+
+        // Make sure we actually managed to find the fields.
+        if (nameField == null) {
+            throw IllegalStateException("nameField was null :(")
+        }
+        if (flagsField == null) {
+            throw IllegalStateException("flagsField was null :(")
+        }
+
+        for (settings in packageSettingsClass.instances(512)) {
+            val instancePackageName = getJdiValueAsString(settings.getValue(nameField));
+            //println("Package name: $instancePackageName")
+            if (!instancePackageName.equals(packageName, ignoreCase = true)) {
+                continue;
+            }
+
+            val flags = getJdiValueAsLong(settings.getValue(flagsField));
+            println("[+] Found package settings, changing flags.")
+            println("Instance - ${settings.uniqueID()}, mName=$instancePackageName flags=$flags")
+
+            // Binary OR with the debuggable flag, 0x2
+            val newFlags = flags or 0x2
+            settings.setValue(flagsField, j.vm().mirrorOf(newFlags))
+
+            println("[+] Flag changed.")
+        }
+
+        j.vm().dispose()
+    }
+
+    private fun getJdiValueAsLong(value: Value): Int {
+        if (value is IntegerValue) {
+            return value.value();
+        }
+        throw IllegalArgumentException("getJdiValueAsLong called on value of type ${value.type()}")
+    }
+
+    private fun getJdiValueAsString(value: Value): String {
+        if (value is StringReference) {
+            return value.value();
+        }
+        throw IllegalArgumentException("getJdiValueAsString called on value of type ${value.type()}")
+    }
+}